Posts

Real World Web Application Security Testing

Introduction

Web application security testing in the real world rarely provides opportunities for getting a reverse shell and ultimately “rooting the box” as is our usual goal in CTF scenarios. Nevertheless, it is very rare to find web applications with no significant vulnerabilities, and in my experience it’s nearly always possible to gain access to information and functions that are supposed to be restricted, often by getting access to the administrator account or equivalent. In this post, I’ll walk you through the tried and tested techniques I’ve employed over many years to achieve consistently good results. And before we get started, if you’ve ever read a web application pentest report you’ll most likely be very familiar with the many low-rated vulnerabilities that seemingly every site suffers from: overly permissive CORS policy, secure flag not set on cookie, no anti-CSRF tokens, weak SSL ciphers supported etc. etc., the list goes on. I’m not going to talk about th...

Buffer Overflow Fun with Brainpan 1

Brainpan 1 is a vulnerable VM by @superkojiman and was posted to Vulnhub back in 2013. I picked it at random while browsing through some of the older entries, looking for my next target. There is minimal information provided in advance, so it's a really black-box challenge. Great! Let's see what we can do with this ... Nmap revealed an interesting result - just two unusual ports open and something weird going on with one of them: Checking them both out with a web browser, I got the following back: 9999 looked interesting so I fired up netcat and spent a bit of time interacting with the service: Ok so it was clear that this was an important service but without a password I wasn't going to get very far. I switched attention to the Python SimpleHTTP server on port 10000 and, after a quick look at view-source, decided that brute forcing some further files and/or directories was going to be required. I quickly discovered a /bin/ directory and wit...

Learning Modbus TCP with ControlThings.IO

Modbus TCP is a layer 7 communications protocol and a de facto standard in the field of industrial control systems. Having recently moved into the utilities sector I wanted to learn more about it. In this post I'll be taking a look at the Modbus TCP challenge included in the ControlThings.io ICS pentesting distro and hopefully learning a little about Modbus along the way. So let's get started! The challenge itself is located at ~/Samples/Protocols/ModbusTCP. We have some pcaps, some reference material and some instructions as follows:

Plant1-ModbusTCP.pcap
This is an export of the ModbusTCP packets from the Plant1.pcap file
Source: https://www.cloudshark.org/captures/76038eaa4a3b

Modbus Challenges:
- Which IP address is the master on?
- How many slaves is the master talking to?
- Is the master writing any data to the slaves?
- Does the traffic spike in the middle related [SIC] to modbus?

So first of all, we need to understand what are these masters and slaves being referred to...

Understanding Proxies with SickOs 1.1

In this post I will explore the SickOs 1.1 VM by D4rk and explain how the Squid proxy enables us to access the Apache server on port 80. This isn't a walkthrough of SickOs as such but instead a deep dive into the proxy exploitation specifically. Although I knew how to compromise the VM, I realised that I didn't have it clear in my own head exactly what was going on with the proxy at the packet level and I wanted to fill in the blanks; hence this post. So we'll go through it step by step and take a look under the hood at what's really going on. In this article, the two IP addresses in play are:

192.168.166.128: Kali (attacking machine)
192.168.166.138: SickOs (victim machine)

So as we know, when we run an nmap scan we find that TCP port 3128 is open and that TCP port 80 most definitely isn't: So for the hell of it, let's try browsing to port 80 and see what happens. Well, no surprises in Firefox; we get a long, very boring wait while it informs us that it is...